CVE-2023-5529 in Advanced Page Visit Counter Plugin
Summary
by MITRE • 05/15/2025
The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 05/16/2025
The Advanced Page Visit Counter WordPress plugin versions prior to 8.0.6 contain a critical stored cross-site scripting vulnerability that affects high-privilege users with administrative capabilities. This vulnerability stems from insufficient sanitization and escaping of user-controllable input within the plugin's settings management functionality. The flaw specifically impacts environments where the unfiltered_html capability has been restricted, such as multisite WordPress installations, creating a dangerous attack vector that bypasses standard security restrictions designed to prevent malicious script execution.
The vulnerability arises when administrators or other high-privilege users modify plugin settings that contain user-supplied data and the plugin applies neither proper input validation nor output escaping. Because the plugin fails to adequately process and sanitize parameters that are later rendered in web pages, malicious JavaScript code can be stored in the database and subsequently executed in the context of other users' browsers. This stored XSS vulnerability operates at the application layer and can be exploited through the WordPress admin interface where settings are configured, making it particularly dangerous in multi-user environments where administrative privileges are distributed.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers with administrative access to escalate their privileges or compromise entire WordPress installations. In multisite configurations where the unfiltered_html capability is explicitly disabled, the vulnerability becomes even more critical, since it allows attackers to bypass the security controls intended to prevent the execution of potentially malicious content. The attack requires no privileges beyond administrative access: any user with that access can leverage this flaw to inject malicious scripts that persist across user sessions and are triggered when other users view affected pages or settings.
Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications. The issue also maps to ATT&CK technique T1548.002, which covers privilege escalation through exploitation of application vulnerabilities. Organizations should immediately upgrade to Advanced Page Visit Counter plugin version 8.0.6 or later to remediate this vulnerability. Additionally, implementing proper input validation and output escaping mechanisms, regularly auditing plugin security configurations, and maintaining updated security policies are essential defensive measures. The vulnerability demonstrates the critical importance of proper sanitization practices in web application development, particularly when handling user-controllable data in administrative interfaces where security restrictions are intended to be enforced.
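The sanitize-on-save and escape-on-output pattern recommended above, sketched as a minimal WordPress settings page. This is an added example, not code from Advanced Page Visit Counter or its 8.0.6 fix; the option name, settings group, menu slug and `demo_` function names are hypothetical.

```php
<?php
/**
 * Added illustration only. Not the plugin's code; all demo_* names,
 * the option name and the menu slug are hypothetical.
 */
const DEMO_OPTION = 'demo_counter_label';

add_action( 'admin_init', function () {
    // Sanitise on save. Without a sanitize_callback the raw POST value is
    // stored unchanged, even for admins who lack unfiltered_html.
    register_setting( 'demo_counter_group', DEMO_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_label',
        'default'           => '',
    ) );
} );

function demo_sanitize_label( $value ) {
    // The setting is plain text, so strip tags for every user. The result
    // does not depend on whether the saver holds unfiltered_html.
    return is_string( $value ) ? sanitize_text_field( $value ) : '';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Demo Counter', 'Demo Counter', 'manage_options',
        'demo-counter', 'demo_render_settings_page' );
} );

function demo_render_settings_page() {
    $label = get_option( DEMO_OPTION, '' );
    // Escape for the attribute context. Echoing $label directly here is the
    // unescaped-output half of the stored XSS pattern.
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'demo_counter_group' ); ?>
        <input type="text"
               name="<?php echo esc_attr( DEMO_OPTION ); ?>"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function demo_render_label() {
    // Front-end output: escape for the HTML body context, so values stored
    // before the sanitiser existed are still rendered inert.
    return '<span class="demo-counter-label">'
        . esc_html( get_option( DEMO_OPTION, '' ) ) . '</span>';
}
```

Escaping at render time matters independently of the save-time filter, because option values written by an older plugin version stay in the database after an upgrade.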